Amazon Athena controls - AWS Control Tower


Amazon Athena controls

[CT.ATHENA.PR.1] Require an Amazon Athena workgroup to encrypt Athena query results at rest

This control checks whether an Amazon Athena workgroup requires query results to be encrypted at rest.

  • Control objective: Encrypt data at rest

  • Implementation: AWS CloudFormation Guard rule

  • Control behavior: Proactive

  • Resource types: AWS::Athena::WorkGroup

  • AWS CloudFormation Guard rule: CT.ATHENA.PR.1 rule specification

Details and examples

Explanation

To strengthen security, you can encrypt the results of all Athena queries in Amazon S3. The location where Athena stores these query results is known as the Amazon S3 query result location. Query results are written there as plain objects, so a workgroup whose result location is unencrypted leaves a copy of every queried dataset readable by anyone with access to that bucket prefix.

Usage considerations
  • This control requires the Athena workgroup to override client-side settings: the EnforceWorkGroupConfiguration property must either be provided and set to true, or be omitted so that it takes its default value of true. Without this, a caller can supply its own ResultConfiguration at query time, and the encryption setting configured on the workgroup would not apply to that query's results.

Remediation for rule failure

In the WorkGroupConfiguration.ResultConfiguration parameter, provide an EncryptionConfiguration configuration with an EncryptionOption value set to one of CSE_KMS, SSE_KMS or SSE_S3.

The following examples show how to implement this remediation.

Amazon Athena workgroup: example

The Amazon Athena workgroup is configured to encrypt Athena query results using Amazon S3 managed keys (SSE_S3). The example is shown in JSON and in YAML.

JSON example

{
  "AthenaWorkGroup": {
    "Type": "AWS::Athena::WorkGroup",
    "Properties": {
      "Name": {
        "Fn::Sub": "${AWS::StackName}-example"
      },
      "Description": "Example workgroup",
      "State": "ENABLED",
      "WorkGroupConfiguration": {
        "ResultConfiguration": {
          "EncryptionConfiguration": {
            "EncryptionOption": "SSE_S3"
          }
        }
      }
    }
  }
}

YAML example

AthenaWorkGroup:
  Type: AWS::Athena::WorkGroup
  Properties:
    Name: !Sub '${AWS::StackName}-example'
    Description: Example workgroup
    State: ENABLED
    WorkGroupConfiguration:
      ResultConfiguration:
        EncryptionConfiguration:
          EncryptionOption: SSE_S3

CT.ATHENA.PR.1 rule specification

# ###################################
##       Rule Specification        ##
#####################################
#
# Rule Identifier:
#   athena_workgroup_results_encrypted_at_rest_check
#
# Description:
#   This control checks whether an Amazon Athena workgroup requires query results to be encrypted at rest.
#
# Reports on:
#   AWS::Athena::WorkGroup
#
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
#
# Rule Parameters:
#   None
#
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any Athena workgroup resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has been provided and
#            set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has been provided
#       And: 'EncryptionOption' in 'EncryptionConfiguration' has not been provided or provided as an empty string
#      Then: FAIL
#   Scenario: 5
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has been provided
#       And: 'EncryptionOption' in 'EncryptionConfiguration' has been provided as a non-empty string
#      Then: PASS

#
# Constants
#
let ATHENA_WORKGROUP_TYPE = "AWS::Athena::WorkGroup"
let INPUT_DOCUMENT = this

#
# Assignments
#
let athena_workgroups = Resources.*[ Type == %ATHENA_WORKGROUP_TYPE ]

#
# Primary Rules
#
rule athena_workgroup_results_encrypted_at_rest_check when is_cfn_template(%INPUT_DOCUMENT)
                                                            %athena_workgroups not empty {
    check(%athena_workgroups.Properties)
        <<
        [CT.ATHENA.PR.1]: Require an Amazon Athena workgroup to encrypt Athena query results at rest
        [FIX]: In the 'WorkGroupConfiguration.ResultConfiguration' parameter, provide an 'EncryptionConfiguration' configuration with an 'EncryptionOption' value set to one of 'CSE_KMS', 'SSE_KMS' or 'SSE_S3'.
        >>
}

rule athena_workgroup_results_encrypted_at_rest_check when is_cfn_hook(%INPUT_DOCUMENT, %ATHENA_WORKGROUP_TYPE) {
    check(%INPUT_DOCUMENT.%ATHENA_WORKGROUP_TYPE.resourceProperties)
        <<
        [CT.ATHENA.PR.1]: Require an Amazon Athena workgroup to encrypt Athena query results at rest
        [FIX]: In the 'WorkGroupConfiguration.ResultConfiguration' parameter, provide an 'EncryptionConfiguration' configuration with an 'EncryptionOption' value set to one of 'CSE_KMS', 'SSE_KMS' or 'SSE_S3'.
        >>
}

#
# Parameterized Rules
#
rule check(athena_workgroup) {
    %athena_workgroup {
        WorkGroupConfiguration exists
        WorkGroupConfiguration is_struct

        WorkGroupConfiguration {
            # Scenario 2
            EnforceWorkGroupConfiguration not exists or
            EnforceWorkGroupConfiguration == true

            ResultConfiguration exists
            ResultConfiguration is_struct

            ResultConfiguration {
                # Scenario 3
                EncryptionConfiguration exists
                EncryptionConfiguration is_struct

                EncryptionConfiguration {
                    # Scenarios 4 and 5
                    EncryptionOption exists
                    check_is_string_and_not_empty(EncryptionOption)
                }
            }
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, RESOURCE_TYPE) {
    %doc.%RESOURCE_TYPE.resourceProperties exists
}

rule check_is_string_and_not_empty(value) {
    %value {
        this is_string
        this != /\A\s*\z/
    }
}

CT.ATHENA.PR.1 example templates

You can view PASS and FAIL test artifact examples for AWS Control Tower proactive controls.

PASS example: use this template to verify compliant resource creation.

Resources:
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name:
        Fn::Sub: ${AWS::StackName}-example
      Description: Example workgroup
      State: ENABLED
      WorkGroupConfiguration:
        ResultConfiguration:
          EncryptionConfiguration:
            EncryptionOption: SSE_S3

FAIL example: use this template to verify that the control prevents non-compliant resource creation (here, EnforceWorkGroupConfiguration is false and no ResultConfiguration is provided).

Resources:
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name:
        Fn::Sub: ${AWS::StackName}-example
      Description: Example workgroup
      State: ENABLED
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: false

[CT.ATHENA.PR.2] Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) key

This control checks whether an Amazon Athena workgroup is configured to encrypt query results at rest with an AWS KMS key.

  • Control objective: Encrypt data at rest

  • Implementation: AWS CloudFormation Guard rule

  • Control behavior: Proactive

  • Resource types: AWS::Athena::WorkGroup

  • AWS CloudFormation Guard rule: CT.ATHENA.PR.2 rule specification

Details and examples

Explanation

To strengthen security, you can encrypt Athena query results in the workgroup using AWS Key Management Service (KMS). Compared with S3 managed keys (SSE_S3), a KMS key lets you restrict who can decrypt the results through the key policy and gives you an audit trail of key usage.

Usage considerations
  • This control requires the Athena workgroup to override client-side settings: the EnforceWorkGroupConfiguration property must either be provided and set to true, or be omitted so that it takes its default value of true.
  • The Guard rule verifies that EncryptionOption is a non-empty string and that KmsKey is either a non-empty string or a valid local reference (Ref or Fn::GetAtt) to an AWS::KMS::Key or AWS::KMS::Alias resource in the same template. It does not verify that EncryptionOption itself is one of the KMS-based options, so choose SSE_KMS or CSE_KMS deliberately rather than relying on the rule to catch an SSE_S3 value that happens to be paired with a KmsKey.

Remediation for rule failure

In the WorkGroupConfiguration.ResultConfiguration parameter, provide an EncryptionConfiguration configuration with EncryptionOption set to a KMS-based encryption option (SSE_KMS or CSE_KMS) and KmsKey set to the identifier or ARN of an AWS KMS key, or the name of an AWS KMS key alias.

The following examples show how to implement this remediation.

Amazon Athena workgroup: example

The Amazon Athena workgroup is configured to encrypt Athena query results with AWS KMS (SSE_KMS). The example is shown in JSON and in YAML.

JSON example

{
  "AthenaWorkGroup": {
    "Type": "AWS::Athena::WorkGroup",
    "Properties": {
      "Name": {
        "Fn::Sub": "${AWS::StackName}-example"
      },
      "Description": "Example workgroup",
      "State": "ENABLED",
      "WorkGroupConfiguration": {
        "EnforceWorkGroupConfiguration": true,
        "ResultConfiguration": {
          "EncryptionConfiguration": {
            "KmsKey": {
              "Ref": "Key"
            },
            "EncryptionOption": "SSE_KMS"
          }
        }
      }
    }
  }
}

YAML example

AthenaWorkGroup:
  Type: AWS::Athena::WorkGroup
  Properties:
    Name: !Sub '${AWS::StackName}-example'
    Description: Example workgroup
    State: ENABLED
    WorkGroupConfiguration:
      EnforceWorkGroupConfiguration: true
      ResultConfiguration:
        EncryptionConfiguration:
          KmsKey: !Ref 'Key'
          EncryptionOption: SSE_KMS

CT.ATHENA.PR.2 rule specification

# ###################################
##       Rule Specification        ##
#####################################
#
# Rule Identifier:
#   athena_workgroup_results_encrypted_at_rest_kms_check
#
# Description:
#   This control checks whether an Amazon Athena workgroup is configured to encrypt query results at rest with an AWS KMS key.
#
# Reports on:
#   AWS::Athena::WorkGroup
#
# Evaluates:
#   AWS CloudFormation, AWS CloudFormation hook
#
# Rule Parameters:
#   None
#
# Scenarios:
#   Scenario: 1
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document does not contain any Athena workgroup resources
#      Then: SKIP
#   Scenario: 2
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has been provided and
#            set to a value other than bool(true)
#      Then: FAIL
#   Scenario: 3
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has not been provided
#      Then: FAIL
#   Scenario: 4
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has been provided
#       And: 'EncryptionOption' in 'EncryptionConfiguration' has not been provided or provided as an empty string
#       And: 'KmsKey' in 'EncryptionConfiguration' has not been provided or provided as an empty string or
#            invalid local reference
#      Then: FAIL
#   Scenario: 5
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has been provided
#       And: 'EncryptionOption' in 'EncryptionConfiguration' has been provided as a non-empty string
#       And: 'KmsKey' in 'EncryptionConfiguration' has not been provided or provided as an empty string or
#            invalid local reference
#      Then: FAIL
#   Scenario: 6
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has been provided
#       And: 'EncryptionOption' in 'EncryptionConfiguration' has not been provided or provided as an empty string
#       And: 'KmsKey' in 'EncryptionConfiguration' has been provided as a non-empty string or valid local reference to
#            a KMS key or key alias
#      Then: FAIL
#   Scenario: 7
#     Given: The input document is an AWS CloudFormation or AWS CloudFormation hook document
#       And: The input document contains an Athena workgroup resource
#       And: 'EnforceWorkGroupConfiguration' in 'WorkGroupConfiguration' has not been provided or provided
#            and set to bool(true)
#       And: 'EncryptionConfiguration' in 'WorkGroupConfiguration.ResultConfiguration' has been provided
#       And: 'EncryptionOption' in 'EncryptionConfiguration' has been provided as a non-empty string
#       And: 'KmsKey' in 'EncryptionConfiguration' has been provided as a non-empty string or valid local reference to
#            a KMS key or key alias
#      Then: PASS

#
# Constants
#
let ATHENA_WORKGROUP_TYPE = "AWS::Athena::WorkGroup"
let INPUT_DOCUMENT = this

#
# Assignments
#
let athena_workgroups = Resources.*[ Type == %ATHENA_WORKGROUP_TYPE ]

#
# Primary Rules
#
rule athena_workgroup_results_encrypted_at_rest_kms_check when is_cfn_template(%INPUT_DOCUMENT)
                                                                %athena_workgroups not empty {
    check(%athena_workgroups.Properties)
        <<
        [CT.ATHENA.PR.2]: Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) key
        [FIX]: In the 'WorkGroupConfiguration.ResultConfiguration' parameter, provide an 'EncryptionConfiguration' configuration with an 'EncryptionOption' set to a KMS-based encryption option, and with 'KmsKey' set to the identifier or ARN of an AWS KMS key, or the name of an AWS KMS key alias.
        >>
}

rule athena_workgroup_results_encrypted_at_rest_kms_check when is_cfn_hook(%INPUT_DOCUMENT, %ATHENA_WORKGROUP_TYPE) {
    check(%INPUT_DOCUMENT.%ATHENA_WORKGROUP_TYPE.resourceProperties)
        <<
        [CT.ATHENA.PR.2]: Require an Amazon Athena workgroup to encrypt Athena query results at rest with an AWS Key Management Service (KMS) key
        [FIX]: In the 'WorkGroupConfiguration.ResultConfiguration' parameter, provide an 'EncryptionConfiguration' configuration with an 'EncryptionOption' set to a KMS-based encryption option, and with 'KmsKey' set to the identifier or ARN of an AWS KMS key, or the name of an AWS KMS key alias.
        >>
}

#
# Parameterized Rules
#
rule check(athena_workgroup) {
    %athena_workgroup {
        WorkGroupConfiguration exists
        WorkGroupConfiguration is_struct

        WorkGroupConfiguration {
            # Scenario 2
            EnforceWorkGroupConfiguration not exists or
            EnforceWorkGroupConfiguration == true

            ResultConfiguration exists
            ResultConfiguration is_struct

            ResultConfiguration {
                # Scenario 3
                EncryptionConfiguration exists
                EncryptionConfiguration is_struct

                EncryptionConfiguration {
                    # Scenarios 4, 5, 6 and 7
                    EncryptionOption exists
                    check_is_string_and_not_empty(EncryptionOption)

                    KmsKey exists
                    check_is_string_and_not_empty(KmsKey) or
                    check_local_references(%INPUT_DOCUMENT, KmsKey, "AWS::KMS::Key") or
                    check_local_references(%INPUT_DOCUMENT, KmsKey, "AWS::KMS::Alias")
                }
            }
        }
    }
}

#
# Utility Rules
#
rule is_cfn_template(doc) {
    %doc {
        AWSTemplateFormatVersion exists  or
        Resources exists
    }
}

rule is_cfn_hook(doc, RESOURCE_TYPE) {
    %doc.%RESOURCE_TYPE.resourceProperties exists
}

rule check_is_string_and_not_empty(value) {
    %value {
        this is_string
        this != /\A\s*\z/
    }
}

rule check_local_references(doc, reference_properties, referenced_resource_type) {
    %reference_properties {
        'Fn::GetAtt' {
            query_for_resource(%doc, this[0], %referenced_resource_type)
                <<Local Stack reference was invalid>>
        } or Ref {
            query_for_resource(%doc, this, %referenced_resource_type)
                <<Local Stack reference was invalid>>
        }
    }
}

rule query_for_resource(doc, resource_key, referenced_resource_type) {
    let referenced_resource = %doc.Resources[ keys == %resource_key ]
    %referenced_resource not empty
    %referenced_resource {
        Type == %referenced_resource_type
    }
}

CT.ATHENA.PR.2 example templates

You can view PASS and FAIL test artifact examples for AWS Control Tower proactive controls.

PASS example: use this template to verify compliant resource creation.

Resources:
  Key:
    Type: AWS::KMS::Key
    Properties:
      KeyPolicy:
        Version: 2012-10-17
        Id: example-policy
        Statement:
          - Sid: Enable IAM user permissions
            Effect: Allow
            Principal:
              AWS:
                Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:root
            Action: kms:*
            Resource: '*'
      KeySpec: SYMMETRIC_DEFAULT
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name:
        Fn::Sub: ${AWS::StackName}-example
      Description: Example workgroup
      State: ENABLED
      WorkGroupConfiguration:
        EnforceWorkGroupConfiguration: true
        ResultConfiguration:
          EncryptionConfiguration:
            KmsKey:
              Ref: Key
            EncryptionOption: SSE_KMS

FAIL example: use this template to verify that the control prevents non-compliant resource creation (here, results are encrypted with SSE_S3 and no KmsKey is provided).

Resources:
  AthenaWorkGroup:
    Type: AWS::Athena::WorkGroup
    Properties:
      Name:
        Fn::Sub: ${AWS::StackName}-example
      Description: Example workgroup
      State: ENABLED
      WorkGroupConfiguration:
        ResultConfiguration:
          EncryptionConfiguration:
            EncryptionOption: SSE_S3
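The following is an added example, not AWS code and not part of the Control Tower rule set: it re-implements the scenario logic of both CT.ATHENA.PR.1 and CT.ATHENA.PR.2 in plain Python so that the PASS and FAIL templates above can be exercised offline, without cfn-guard or an AWS account. It models only the properties the two Guard rules inspect (EnforceWorkGroupConfiguration, EncryptionOption, KmsKey and the local-reference check against AWS::KMS::Key and AWS::KMS::Alias); the sample templates are constructed inline as Python dicts equivalent to the YAML on this page, plus one extra case with a dangling Ref to show why the reference check exists.

```python
"""Offline model of the CT.ATHENA.PR.1 / CT.ATHENA.PR.2 Guard checks.

Added example (not AWS code). Mirrors the scenario tables of the two rules:
scenario 1 -> SKIP, scenarios 2-4 (and 5-6 for PR.2) -> FAIL, last -> PASS.
"""
import re

ATHENA_WORKGROUP_TYPE = "AWS::Athena::WorkGroup"
KMS_REFERENCE_TYPES = ("AWS::KMS::Key", "AWS::KMS::Alias")


def _is_non_empty_string(value):
    # Guard's check_is_string_and_not_empty: `this is_string` and `this != /\A\s*\z/`
    return isinstance(value, str) and re.fullmatch(r"\s*", value) is None


def _is_valid_local_reference(template, value):
    """Guard's check_local_references: a Ref or Fn::GetAtt must name a resource
    in the same template whose Type is AWS::KMS::Key or AWS::KMS::Alias."""
    if not isinstance(value, dict):
        return False
    if "Ref" in value:
        key = value["Ref"]
    elif "Fn::GetAtt" in value:
        key = value["Fn::GetAtt"][0]
    else:
        return False
    target = template.get("Resources", {}).get(key)
    return isinstance(target, dict) and target.get("Type") in KMS_REFERENCE_TYPES


def _encryption_configuration(props):
    """Walk WorkGroupConfiguration.ResultConfiguration.EncryptionConfiguration
    applying scenarios 2 and 3; return the struct, or None when the walk fails."""
    wg = props.get("WorkGroupConfiguration")
    if not isinstance(wg, dict):
        return None
    # Scenario 2: the property may be omitted (default true) but, if present,
    # must be exactly the boolean true, so `false` or the string "true" fail.
    if "EnforceWorkGroupConfiguration" in wg and wg["EnforceWorkGroupConfiguration"] is not True:
        return None
    rc = wg.get("ResultConfiguration")
    if not isinstance(rc, dict):
        return None
    ec = rc.get("EncryptionConfiguration")
    return ec if isinstance(ec, dict) else None  # scenario 3


def check_pr1(template, props):
    """CT.ATHENA.PR.1: EncryptionOption must be a non-empty string."""
    ec = _encryption_configuration(props)
    return ec is not None and _is_non_empty_string(ec.get("EncryptionOption"))


def check_pr2(template, props):
    """CT.ATHENA.PR.2: as PR.1, plus KmsKey must be a non-empty string or a valid
    local reference. Like the Guard rule, it does not inspect the option value."""
    ec = _encryption_configuration(props)
    if ec is None or not _is_non_empty_string(ec.get("EncryptionOption")):
        return False
    kms_key = ec.get("KmsKey")
    return _is_non_empty_string(kms_key) or _is_valid_local_reference(template, kms_key)


def evaluate(template, check):
    """Return 'SKIP' when the template has no workgroup (scenario 1), otherwise
    a {logical_id: 'PASS' | 'FAIL'} map over every workgroup resource."""
    resources = template.get("Resources", {})
    workgroups = {k: v for k, v in resources.items() if v.get("Type") == ATHENA_WORKGROUP_TYPE}
    if not workgroups:
        return "SKIP"
    return {k: ("PASS" if check(template, v.get("Properties", {})) else "FAIL")
            for k, v in workgroups.items()}


def _workgroup(wg_config):
    return {"Type": ATHENA_WORKGROUP_TYPE,
            "Properties": {"Name": "example", "State": "ENABLED",
                           "WorkGroupConfiguration": wg_config}}


# Constructed sample templates (dict form of the page's YAML artifacts).
SSE_S3_TEMPLATE = {"Resources": {"AthenaWorkGroup": _workgroup(
    {"ResultConfiguration": {"EncryptionConfiguration": {"EncryptionOption": "SSE_S3"}}})}}
NOT_ENFORCED_TEMPLATE = {"Resources": {"AthenaWorkGroup": _workgroup(
    {"EnforceWorkGroupConfiguration": False})}}
KMS_TEMPLATE = {"Resources": {
    "Key": {"Type": "AWS::KMS::Key", "Properties": {"KeySpec": "SYMMETRIC_DEFAULT"}},
    "AthenaWorkGroup": _workgroup(
        {"EnforceWorkGroupConfiguration": True,
         "ResultConfiguration": {"EncryptionConfiguration": {
             "KmsKey": {"Ref": "Key"}, "EncryptionOption": "SSE_KMS"}}})}}
# Constructed extra case: Ref to a resource that is not in the template.
DANGLING_REF_TEMPLATE = {"Resources": {"AthenaWorkGroup": _workgroup(
    {"ResultConfiguration": {"EncryptionConfiguration": {
        "KmsKey": {"Ref": "MissingKey"}, "EncryptionOption": "SSE_KMS"}}})}}

if __name__ == "__main__":
    for name, tpl in [("SSE_S3", SSE_S3_TEMPLATE), ("NotEnforced", NOT_ENFORCED_TEMPLATE),
                      ("KMS", KMS_TEMPLATE), ("DanglingRef", DANGLING_REF_TEMPLATE)]:
        print(name, "PR.1:", evaluate(tpl, check_pr1), "PR.2:", evaluate(tpl, check_pr2))
```

Running the script shows the split the page describes: the SSE_S3 template passes PR.1 but fails PR.2, the template with EnforceWorkGroupConfiguration: false fails both, the KMS template passes both, and the dangling Ref fails PR.2 even though EncryptionOption is SSE_KMS, because the reference check only accepts a Ref or Fn::GetAtt that resolves to a KMS key or alias in the same template.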